Google Patches Critical Vulnerabilities in Android

Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.

The Internet giant included 16 security patches for 19 vulnerabilities in this month’s Nexus Security Bulletin, which is the eighth monthly update coming from the company since the Stagefright flaw was discovered in July last year to affect nearly 1 billion devices.

The Security Bulletin reveals that seven of these vulnerabilities were rated Critical, ten were rated High, and two Moderate. While many of these flaws were EoP issues, Google also resolved information disclosure bugs in the mobile OS, along with a mitigation bypass vulnerability, and a remote denial of service flaw.

Fortunately, Google said it has not had any reports of active customer exploitation of the newly patched vulnerabilities.

The new set of security updates for Android once again resolves vulnerabilities in mediaserver, the platform component that was affected by Stagefright and Stagefright 2.0 last year. This month, Google patched two RCE issues in it (CVE-2016-0815 and CVE-2016-0816), which could be exploited during the processing of a specially crafted media file, and which affect Android 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1.

The vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted, which may enable a man in the middle attack. The other three could enable a local malicious application to execute arbitrary code within the kernel, with CVE-2016-0819 and CVE-2016-0728 possibly resulting in permanent device compromise.

Of the 10 High risk flaws resolved in the March Nexus Security Bulletin, one is a mitigation bypass vulnerability in the kernel (CVE-2016-0821), one a remote denial of service bug in Bluetooth (CVE-2016-0830), one EoP issue in MediaTek connectivity driver (CVE-2016-0822), and two EoP flaws in mediaserver (CVE-2016-0826 and CVE-2016-0827).

Google also patched information disclosure vulnerabilities in kernel (CVE-2016-0823), libstagefright (CVE-2016-0824), Widevine (CVE-2016-0825), and mediaserver (CVE-2016-0828 and CVE-2016-0829). Most of these flaws affect Android 6.0 and 6.0.1 releases, but the ones in mediaserver were found in all Android versions starting with 4.4.4.

All of these issues have been addressed in Android Build LMY49H or later and Android 6.0 with Security Patch Level of March 1, 2016 or later, Google notes. The company notified its partners on these issues on February 1, 2016 or earlier and plans on publishing the source code patches for these issues to the Android Open Source Project (AOSP) repository in the next couple of days.

In August 2015, Google committed to regular, monthly updates for Nexus devices, and partner manufacturers such as Samsung and BlackBerry also announced plans to follow Google’s footsteps.